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Amendments to the Claims : 
This listing of claims replaces all prior versions and listings of claims in the application: 

Listing of Claims : 

1 . (Currently Amended) A computer-readable medium or propagated signal having 
embodied thereon a computer program configured to determine whether a user is permitted to 
access a business object when executing a software application of an enterprise information 
technology system, the medium or signal comprising one or more code segments configured to: 

use a permission object to determine whether a user associated with an entry in user 
information is permitted to access a data object associated with a data object type, wherein: 

the entry in the user information associates the user with a user affiliation, 

the permission object identifies: 

a user affiliation to which the permission object applies, 

a data object type to which the permission object applies such that the data object 
type is associated with multiple attributes and each data object having the data object type 
is associated with the multiple attributes, 

a permission attribute identifying one of the multiple attributes, and 
a permission value for the permission attribute, and 
the user is permitted to access the data object when (1) the user affiliation that is 
associated with the user is the same user affiliation as the user affiliation to which the permission 
object applies, (2) the data object type of the data object is the same data object type as the data 
object type to which the permission object applies, and (3) a value of an attribute of the multiple 
attributes associated with the data object is consistent with the permission value of the 
permission attribute and the attribute corresponds to the permission attribute. 



2. (Currently Amended) The medium or signal of claim 1 wherein the one or more code 
segments are further configured to permit the user to access the data object when the value of the 
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attribute of one of the multiple attributes associated with the data object is the same as the 
permission value of the permission attribute. 

3. (Currently Amended) The medium or signal of claim 1 wherein the one or more code 
segments are further configured to permit the user to access the data object when the value of the 
attribute of one of the multiple attributes associated with the data object is the within a range 
specified by the permission value of the permission attribute 

4. (Currently Amended) The medium or signal of claim 1 wherein the one or more code 
segments are further configured to permit the user to access the data object when the value of the 
attribute of one of the multiple attributes associated with the data object is one of enumerated 
values specified by the permission value of the permission attribute. 

5. (Currently Amended) The medium or signal of claim 1 wherein: 

the permission object identifies an attribute group having one or more attributes of the 
multiple attributes associated with the data object type, and 

the one or more code segments are further configured to permit the user to access an 
attribute of the data object only when the attribute of the data object corresponds to an attribute 
of the attribute group of the permission object. 

6. (Currently Amended) The medium or signal of claim 5 wherein: 

the permission object identifies a second attribute group having one or more attributes of 
the multiple attributes associated with the data object type, a second permission attribute 
identifying one of the multiple attributes, and a second permission value for the second 
permission attribute, associates the second permission attribute and the second permission value 
with the second attribute group, and associates the permission attribute and permission value 
with the attribute group, and 

the one or more code segments are further configured to permit the user to access an 
attribute of the data object only when the attribute of the data object corresponds to an attribute 
of the second attribute group of the permission object and a value of an attribute of one of the 
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multiple attributes associated with the data object is consistent with the second permission value 
of the second permission attribute. 

7. (Currently Amended) The medium or signal of claim 1 wherein: 
the permission object identifies a permitted action, and 

the one or more code segments are further configured to permit the user to access the data 
object and perform an action on the data object when the action is consistent with the permitted 
action identified in the permission object. 

8. (Original) A method for determining whether a user is permitted to access a business 
object when executing a software application of an enterprise information technology system, the 
method comprising: 

using a permission object to determine whether a user associated with an entry in user 
information is permitted to access a data object associated with a data object type, wherein: 
the entry in the user information associates the user with a user affiliation, 
the permission object identifies: 

a user affiliation to which the permission object applies, 

a data object type to which the permission object applies such that the data object 
type is associated with multiple attributes and each data object having the data object type 
is associated with the multiple attributes, 

a permission attribute identifying one of the multiple attributes, and 
a permission value for the permission attribute, and 
the user is permitted to access the data object when (1) the user affiliation that is 
associated with the user is the same user affiliation as the user affiliation to which the permission 
object applies, (2) the data object type of the data object is the same data object type as the data 
object type to which the permission object applies, and (3) a value of an attribute of the multiple 
attributes associated with the data object is consistent with the permission value of the 
permission attribute and the attribute corresponds to the permission attribute. 



Applicant : Tom Cheng et al. Attorney's Docket No.: 13914-033001 / 2003P00877 US 

Serial No. : 10/720,447 

Filed : November 25, 2003 

Page : 5 of 14 

9. (Original) The method of claim 8 further comprising permitting the user to access the 
data object when the value of the attribute of one of the multiple attributes associated with the 
data object is the same as the permission value of the permission attribute. 

10. (Original) The method of claim 8 further comprising permitting the user to access 
the data object when the value of the attribute of one of the multiple attributes associated with 
the data object is the within a range specified by the permission value of the permission attribute. 

1 1 . (Original) The method of claim 8 further comprising permitting the user to access 
the data object when the value of the attribute of one of the multiple attributes associated with 
the data object is one of enumerated values specified by the permission value of the permission 
attribute. 

12. (Original) The method of claim 8 wherein the permission object identifies an 
attribute group having one or more attributes of the multiple attributes associated with the data 
object type, the method further comprising permitting the user to access an attribute of the data 
object only when the attribute of the data object corresponds to an attribute of the attribute group 
of the permission object. 

13. (Original) A computer system for determining whether a user is permitted to access 
a data object when executing a software application of an enterprise information technology 
system, the system comprising: 

a data repository for access control information for software having data objects, each 
data object (1) being associated with a data object type having multiple attributes, (2) having 
multiple attributes that are the same as the multiple attributes of the data object type to which the 
data object is associated, and (3) having a value associated with each attribute of the multiple 
attributes, the data repository including: 

user information that associates a user affiliation with a user of the software 

application, and 
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permission information having multiple permission objects, each permission 
object identifying a user affiliation to which the permission object applies, a data object 
type to which the permission object applies, a permission attribute identifying one of the 
multiple attributes, and a permission value for the permission attribute; and 
an executable software module that causes: 

a comparison of a value of an attribute of the multiple attributes associated with a 
data object to which a user seeks to access such that the attribute corresponds to the 
permission attribute of a permission object with the permission value of the permission 
object, and 

an indication that a user is permitted to access a data object when the value of the 
attribute associated with the data object is consistent with the permission value of the 
permission object. 

14. (Original) The system of claim 13 wherein the executable software module causes 
an indication that a user is permitted to access the data object when the value of the attribute of 
one of the multiple attributes associated with the data object is the same as the permission value 
of the permission attribute. 

15. (Original) The system of claim 13 wherein the executable software module causes 
an indication that a user is permitted to access the data object when the value of the attribute of 
one of the multiple attributes associated with the data object is the within a range specified by the 
permission value of the permission attribute. 

16. (Original) The system of claim 13 wherein the executable software module causes 
an indication that a user is permitted to access the data object when the value of the attribute of 
one of the multiple attributes associated with the data object is one of enumerated values 
specified by the permission value of the permission attribute. 



17. (Original) The system of claim 13 wherein: 
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the permission object identifies an attribute group having one or more attributes of the 
multiple attributes associated with the data object type, and 

the executable software module causes an indication that a user is permitted to access an 
attribute of the data object only when the attribute of the data object corresponds to an attribute 
of the attribute group of the permission object. 

18. (Original) The system of claim 17 wherein: 

the permission object identifies a second attribute group having one or more attributes of 
the multiple attributes associated with the data object type, a second permission attribute 
identifying one of the multiple attributes, and a second permission value for the second 
permission attribute, associates the second permission attribute and the second permission value 
with the second attribute group, and associates the permission attribute and permission value 
with the attribute group, and 

the executable software module causes an indication that a user is permitted to access an 
attribute of the data object only when the attribute of the data object corresponds to an attribute 
of the second attribute group of the permission object and a value of an attribute of one of the 
multiple attributes associated with the data object is consistent with the second permission value 
of the second permission attribute. 

19. (Original) The system of claim 13 wherein: 

the permission object identifies a permitted action, and 

the executable software module causes an indication that a user is permitted to access the 
data object and perform an action on the data object when the action is consistent with the 
permitted action identified in the permission object. 

20. (New) The medium of claim 1 wherein: 

the permission object identifies a permitted action, and 

the one or more code segments are further configured to permit the user to access the data 
object and perform one or more database operations on the data object when the action is 
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consistent with the permitted action identified in the permission object, where the database 
operations comprise create, read, update and delete. 



